Reasons why we don’t have a web version
Security and data control
In a web version, suspicious activity from a single IP address can lead to the blocking of every key used from that IP. Association with unreliable or rule-breaking servers can also harm the reputation of the developer or organization.
Handing an App Store Connect API key to a web application for ASO (App Store Optimization) is particularly risky if scam applications are found on the same ASO service where the data is stored. This can lead to serious consequences, including the blocking of every application associated with it.
As a result, the sandbox environment (the application itself) provides a more secure, controlled and reliable place to work with App Store Connect data and API keys than a web version. For ASO.dev users who value security and reliability, the sandbox is the preferred choice: the key is stored and used only on the user’s device and is protected by end-to-end (e2e) encryption under a user-entered encryption code.
A more detailed description of the threats that arise when a key is transferred to a server in a form the server can read:
Association with Dishonest Applications: If the IP address of the ASO service is associated with scam applications, sending the requests made with your API key from that same IP address could lead Apple to associate your application with those scam applications. This can raise suspicion and lead to the blocking of all applications associated with that IP. Apple has strict rules regarding the security and quality of applications in the App Store, and association with services linked to scam applications can be treated as a violation of those policies.
CORS Limitations (Cross-Origin Resource Sharing): CORS is a security mechanism used by web browsers to control which web pages are allowed to make requests to a domain other than their own origin. Because of it, a web page cannot call the App Store Connect API directly; requests from the web are possible only through the service’s intermediate server, which therefore has to hold your key.
IP Blocking: If Apple detects suspicious activity from a particular IP address (for example, if many apps that violate App Store policies are published from that IP), Apple can block all requests from that IP. This may lead to the blocking of all API keys associated with that IP; if your key is on such a server, your account may be blocked.
Reputational Risks: If your key is associated with a server that violates Apple’s policies or is used for fraudulent purposes, this could damage your reputation as a developer or that of your organization as a whole.
Because of all these risks and restrictions, it is important to carefully control and restrict access to your API keys and to be careful when choosing the platform or service with which you share them.
Loss of Control of the Key: Once you transfer your private key to a third-party server, you lose control over how that key is used and where it is stored.
Malicious Activity: If the server you gave the key to is compromised or owned by an attacker, the key can be used for unintended actions, such as modifying data in your App Store Connect account.
Unauthorized Access: Even if the third-party server is honest, vulnerabilities in that server may let your key fall into the hands of third parties.
Limited Control Over Security: You have no control over the security measures the third-party server implements. Your own environment may be secure and meet security standards while the third-party server falls short.
No Audit: You will have difficulty tracking exactly how your key is used on a third-party server, which makes it impossible to audit the activity associated with that key.
Challenges in Key Management: If you need to revoke or replace a key, you may not be able to do so quickly on a third-party server.